In this episode of the EM360 Podcast, Analyst Richard Stiennon speaks to Kayne McGladrey, Field CISO at Hyperproof to explore: Automating compliance controls vs SOAR automation, Helping CISOs, and if one master set of controls cover multiple frameworks
Hosts Kayne and Tom talk about how to create the Authorization Boundary, a cornerstone of the System Security Plan (SSP) as part of FedRAMP certification. Includes beer tasting notes for Black Butte Porter.
“We’re going to be talking about regulatory compliance, specifically FedRAMP, but we’re also going to be talking about…. beer?”
Kayne McGladrey, field CISO at Hyperproof.io, explained the dangers of such an approach. “Low-cost, high-speed and generally unmonitored networking devices provide threat actors a reliable and robust infrastructure for launching attacks or running command and control infrastructure that will take longer to detect and evict,” he said. McGladrey also pointed out that as organizations deploy 5G as a replacement for Wi-Fi, they may not correctly configure or manage the optional but recommended security controls. “While telecommunications providers will have adequate budget and staffing to ensure the security of their networks, private 5G networks may not and thus become an ideal target for a threat actor,” he said.
“Organizations should invest in a combination of asset management, endpoint detection, data loss prevention, cloud-based managed detection and response, and patch or vulnerability management,” says Kayne Mcgladrey (@kaynemcgladrey), Field CISO at Hyperproof and Senior IEEE Member. “Of those, asset management is the starting point, as an organization should have visibility into the devices accessing corporate data and be able to select and apply appropriate controls to those devices. Those controls then may include endpoint protection or data loss protection, for example, if exfiltration of sensitive corporate data may result in compliance violations.”
“Work from home is not necessarily new. I just think that for budgetary purposes many companies thought, “oh, that’ll be over soon.””
“We talk about ‘data breaches’ because of regulatory and statutory definitions that focus on the disclosure of data. An organization’s security strategy should work with the end in mind and focus heavily on denying threat actors access to those data with the highest regulatory, statutory, or contractual risks.” Kayne McGladrey, Field CISO at Hyperproof
As we approach 2023, it’s natural to look back on the biggest security events that took place this year and anticipate their effect next year. The previous two years have shown that our world is full of complexity and uncertainty, despite all the advances in data collection, compliance operations automation, and SaaS technology. Risk modelers and analytics experts know we can’t predict or control the world with any degree of certainty, but it’s important to brace ourselves for the upcoming threats and new opportunities the coming year will present. Here are three key risk management predictions we have for 2023 that will shape the risk management industry.
Since the initial release of ISO 27001, the threat actor economy has diversified substantially, with both criminal groups and nation states developing and selling offensive cyber products and cyber surveillance solutions. In response, cybersecurity experts have documented and developed best practices and actionable guidance for organizations to effectively manage their cybersecurity risks. ISO 27001:2022 provides a risk-based reference set of information security, cybersecurity, and privacy controls that have been adopted by modern organizations as part of deploying cloud technologies and addressing data protection requirements driven by GDPR.
“Out of all the CISO’s and security leaders I’ve spoken with over the last three months, the main theme of 2023 is going to be ‘the year of risk,’ and a lot of that risk we’re talking about at this level is regulatory,” said Kayne McGladrey, Field CISO at Hyperproof.
“Right now, there’s a bit of a Wild West mentality out there,” said Kayne McGladrey, field chief information security officer at security software company Hyperproof and a senior member of the Institute of Electrical and Electronics Engineers. “Companies are incentivized for being first to market, not necessarily most secure to market. Because security costs money and because it requires time and resources, naturally that becomes a lower priority.”
Cultural change takes time and is a journey, not a destination. Senior leaders, managers, and individual contributors all have a role and responsibility in ensuring that manufacturing companies stay safe from cybersecurity risks. Elevating cyber risks to the same level as safety risks will help companies to comprehensively understand and manage their risks now and in the coming years.